[TUTORIAL] PMG 7/Debian 11 with fail2ban

[Mecanik]

This is a very misleading and cumbersome thread. The default tutorial from https://pve.proxmox.com/wiki/Fail2ban works perfectly fine even on the latest 7.3.

When I see stuff like "you can remove iptables using command apt-get remove iptables" I get sick.

There is no need to do anything specified in this thread, as it will just over complicate everything and eventually break basic functionality.

I suggest mods to delete this thread.

 

[poetry]

Anyone who is configuring public access (access from any public IP) for proxmox mail gateway admin interface should be forbidden for configuring anything in my opinion. This goes against any security principle I can think off and it could and will lead to eventual data breach meaning someone will gain access to the admin interface.
Even when configuring https://pmg.proxmox.com/wiki/index.php/Quarantine_Web_Interface_Via_Nginx_Proxy I am a bit hesitant because I don't know how well all subsystems are made when exposed to public access even if it's just a subset of API just for the quarantine.

Again please think about your data and how bad is going to be for you or for your company when it's exposed before configuring something as public access. Why do we have so many data breaches because people do not understand the implications of what they are doing.

 

[michabbs]

Anyone has idea how to join fail2ban with nginx quarantine proxy (as described here)?

In my opinion this proxy is essential if you expose web interface to the real world. But then all connections come from localhost (from pmg point of view), so... fail2ban becomes useless.

In theory the original IP is known - it's shown in ngnix log. But could fail2ban be smart enough to read it? How? Any ideas?